Your message dated Fri, 26 Dec 2025 13:02:35 +0000
with message-id <[email protected]>
and subject line Bug#1122582: fixed in rust-sequoia-openpgp 2.0.0-2+deb13u1
has caused the Debian Bug report #1122582,
regarding sequoia-openpgp: CVE-2025-67897: DOS (crash) via specially crafted encrypted message
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1122582: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122582
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: rust-sequoia-openpgp
Version: 1.1.0-3
Severity: important
Tags: security

https://gitlab.com/sequoia-pgp/sequoia/-/commit/b59886e5e7bdf7169ed330f309a6633d131776e5
which was first released with rust-sequoia-openpgp 2.1.0
describes (and then fixes) the following problem:

openpgp: Fix an underflow in aes_key_unwrap.

The `aes_key_unwrap` function would panic if passed a ciphertext
that was too short.  In a debug build, it would panic due to a
subtraction underflow.  In a release build, it would use the small
negative quantity to allocate a vector.  Since the allocator
expects an unsigned quantity, the negative value would be
interpreted as a huge allocation.  The allocator would then fail
to allocate the memory and panic.

An attacker could trigger this panic by sending a victim an
encrypted message whose PKESK or SKESK packet has been specially
modified.  When the victim decrypts the message, the program would
crash.

Reported-by: Jan Różański.


-- 
cheers,
        Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

I think Letzte Generation is the first criminal organisation in history whose
only goal is for the government to abide by the constitution and its own
laws. (@muellermusik)

Attachment: signature.asc
Description: PGP signature


--- End Message ---
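An added illustration of the length guard that the commit message quoted in the report describes. This is example code written for this page, not Sequoia's `aes_key_unwrap` and not from the linked commit: it implements RFC 3394 key unwrap over a constructed toy block permutation standing in for AES (the function names, the toy cipher and the sample key are assumptions), and contrasts the unguarded `len / 8 - 1` arithmetic with a checked version that rejects a truncated or mis-sized ciphertext before any subtraction or allocation happens.

```rust
use std::convert::TryInto;

/// RFC 3394 default initial value; after unwrapping, the integrity register must equal it.
const RFC3394_IV: u64 = 0xA6A6_A6A6_A6A6_A6A6;

#[derive(Debug, PartialEq)]
pub enum UnwrapError {
    /// Fewer than two 64-bit blocks (integrity block plus at least one key block).
    TooShort(usize),
    /// Length is not a multiple of the 64-bit block size.
    NotBlockAligned(usize),
    /// Unwrapped integrity register did not match RFC3394_IV (wrong key or tampered data).
    IntegrityCheckFailed,
}

/// Constructed toy 128-bit block permutation used in place of AES for this example.
/// It is a bijection (xor, rotate, wrapping add), which is all key wrap needs to
/// round-trip; it is NOT a secure cipher.
fn toy_encrypt(key: u128, block: u128) -> u128 {
    (block ^ key).rotate_left(37).wrapping_add(key)
}

fn toy_decrypt(key: u128, block: u128) -> u128 {
    block.wrapping_sub(key).rotate_right(37) ^ key
}

/// The unguarded arithmetic pattern the commit message describes: n = len / 8 - 1.
/// For len < 8 the subtraction underflows. wrapping_sub reproduces the value a
/// release build computes (usize::MAX), which a following Vec allocation would
/// fail on; a debug build panics on the subtraction itself.
pub fn block_count_unchecked(len: usize) -> usize {
    (len / 8).wrapping_sub(1)
}

/// Hardened form: validate the ciphertext length before doing arithmetic on it.
pub fn block_count_checked(len: usize) -> Result<usize, UnwrapError> {
    if len % 8 != 0 {
        return Err(UnwrapError::NotBlockAligned(len));
    }
    match (len / 8).checked_sub(1) {
        Some(n) if n >= 1 => Ok(n),
        _ => Err(UnwrapError::TooShort(len)),
    }
}

fn to_words(bytes: &[u8]) -> Vec<u64> {
    bytes.chunks_exact(8).map(|c| u64::from_be_bytes(c.try_into().unwrap())).collect()
}

fn to_bytes(words: &[u64]) -> Vec<u8> {
    words.iter().flat_map(|w| w.to_be_bytes()).collect()
}

/// RFC 3394 wrap, included only to produce inputs for the unwrap below.
pub fn key_wrap(key: u128, plaintext: &[u8]) -> Result<Vec<u8>, UnwrapError> {
    if plaintext.len() % 8 != 0 {
        return Err(UnwrapError::NotBlockAligned(plaintext.len()));
    }
    let mut r = to_words(plaintext);
    let n = r.len();
    if n < 1 {
        return Err(UnwrapError::TooShort(plaintext.len()));
    }
    let mut a = RFC3394_IV;
    for j in 0..6u64 {
        for i in 0..n {
            let b = toy_encrypt(key, ((a as u128) << 64) | r[i] as u128);
            let t = n as u64 * j + (i as u64 + 1);
            a = ((b >> 64) as u64) ^ t;
            r[i] = b as u64;
        }
    }
    let mut out = vec![a];
    out.extend(r);
    Ok(to_bytes(&out))
}

/// RFC 3394 unwrap with the length check done first, so a truncated or odd-sized
/// ciphertext is an error rather than a panic or an enormous allocation.
pub fn key_unwrap(key: u128, ciphertext: &[u8]) -> Result<Vec<u8>, UnwrapError> {
    let n = block_count_checked(ciphertext.len())?;
    let words = to_words(ciphertext);
    let mut a = words[0];
    let mut r = words[1..].to_vec();
    for j in (0..6u64).rev() {
        for i in (0..n).rev() {
            let t = n as u64 * j + (i as u64 + 1);
            let b = toy_decrypt(key, (((a ^ t) as u128) << 64) | r[i] as u128);
            a = (b >> 64) as u64;
            r[i] = b as u64;
        }
    }
    if a != RFC3394_IV {
        return Err(UnwrapError::IntegrityCheckFailed);
    }
    Ok(to_bytes(&r))
}

fn main() {
    let key: u128 = 0x0123_4567_89ab_cdef_fedc_ba98_7654_3210; // constructed sample key
    let session_key = [0x11u8; 16]; // constructed sample session key
    let wrapped = key_wrap(key, &session_key).unwrap();
    println!("wrapped: {} bytes", wrapped.len());
    println!("round trip ok: {}", key_unwrap(key, &wrapped) == Ok(session_key.to_vec()));
    // Short or misaligned ciphertexts, as a modified PKESK/SKESK could carry:
    for &len in &[0usize, 4, 8, 12] {
        println!("len {:>2}: unchecked n = {:#x}, checked = {:?}",
                 len, block_count_unchecked(len), block_count_checked(len));
    }
}
```

The check must sit before the subtraction, not after it: once `len / 8 - 1` has been evaluated on a short input there is nothing left to validate, and in a release build the wrapped value goes straight into the allocation size. A parser for untrusted PKESK/SKESK material should treat the wrapped-key length as attacker-controlled and reject anything that is not at least 16 bytes and a multiple of 8 before touching it.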
--- Begin Message ---
Source: rust-sequoia-openpgp
Source-Version: 2.0.0-2+deb13u1
Done: Holger Levsen <[email protected]>

We believe that the bug you reported is fixed in the latest version of
rust-sequoia-openpgp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <[email protected]> (supplier of updated rust-sequoia-openpgp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 22 Dec 2025 16:27:34 +0100
Source: rust-sequoia-openpgp
Architecture: source
Version: 2.0.0-2+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Rust Maintainers <[email protected]>
Changed-By: Holger Levsen <[email protected]>
Closes: 1122582
Changes:
 rust-sequoia-openpgp (2.0.0-2+deb13u1) trixie; urgency=medium
 .
   * Add upstream commit b59886e5 (via debian/patches, edited to apply cleanly)
     to fix an underflow in aes_key_unwrap / CVE-2025-67897 to prevent DOS
     (crash) via specially crafted encrypted messages. Closes: #1122582.
Checksums-Sha1:
 65187341b86cab45df01428c4af769b58973dca0 3712 rust-sequoia-openpgp_2.0.0-2+deb13u1.dsc
 c892b91f18c3169126e995a6102b4f52a26599a9 9908 rust-sequoia-openpgp_2.0.0-2+deb13u1.debian.tar.xz
 453c30d49875a846e097e3ee455302c007ac5893 7424 rust-sequoia-openpgp_2.0.0-2+deb13u1_source.buildinfo
Checksums-Sha256:
 b3ff010f9ae8faeb8e459f89b6fa6de66647556de239c8d46e3a410f047bc1fc 3712 rust-sequoia-openpgp_2.0.0-2+deb13u1.dsc
 817b79e4f22a69844a0a4e44e4154ba8d4f85ccd488f563dd67d08a8d350eb74 9908 rust-sequoia-openpgp_2.0.0-2+deb13u1.debian.tar.xz
 bfac78599fa633da9caefe89685a80628eb87457924ce6c4016ccdcefc5168af 7424 rust-sequoia-openpgp_2.0.0-2+deb13u1_source.buildinfo
Files:
 72903aae0835654b2ef8d66866e9425c 3712 rust optional rust-sequoia-openpgp_2.0.0-2+deb13u1.dsc
 614762866d1ac11e9e9165427f2c60ae 9908 rust optional rust-sequoia-openpgp_2.0.0-2+deb13u1.debian.tar.xz
 6b0ae11bcfc1def10ea4c9155f6ac8ea 7424 rust optional rust-sequoia-openpgp_2.0.0-2+deb13u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpQAyuoghZFh.pgp
Description: PGP signature


--- End Message ---